Québec’s privacy commissioner, the Commission d’accès à l’information (CAI), recently announced that it will no longer publish the list of organizations that have reported confidentiality incidents. This announcement is logical given the current state of the law and the reality of incident management.

In a press release published on its website on May 27, 2025 (available here in French only), the CAI announced that it would end this practice, which was introduced in 2022 following the entry into force of the requirement that all organizations operating in Québec report to the CAI any confidentiality incidents involving a risk of serious harm to the individuals concerned; see this summary chart or this summary of requirements for more details.

Until recently, one could access a list on the CAI’s website that contained the names of entities that had notified the CAI of a confidentiality incident involving personal information. In addition to the names of these organizations, this list also contained the nature of these entities as well as the date of receipt of the incident report.

In its May 27 press release, the CAI announced that this orientation aimed to “enhance the protection of personal information of citizens affected by confidentiality incidents” by:

  • Minimizing the risk of harm to citizens.
  • Avoiding the disclosure of an existing vulnerability or cybersecurity issues.
  • Avoiding hindering the management of incidents by affected organizations.
  • Preserving the CAI’s oversight functions and powers, particularly for ongoing or future investigations.

The CAI did confirm, however, that it will continue to publish statistics regarding the privacy incident reports it receives from organizations.

This announcement seems logical to us given the current state of the law and the reality of incident management in Québec. On the one hand, apart from the Access to Information Act, which applies to the CAI as a public body, there is no specific legal regime dictating that the CAI must proactively publish reports it receives, including those concerning confidentiality incidents.

It is also interesting to note that the Commission is following in the footsteps of the Information and Privacy Commissioner of Alberta, who also ended this practice in 2024. On the other hand, any premature publication of information about a confidentiality incident, however limited, can hinder an organization’s crisis management process, encourage the malicious actor to exert pressure, or even further expose those affected.

Please do not hesitate to contact our Cyber security and Data Protection team if you have any questions about the implications of this announcement, your obligations regarding privacy incidents, or your organization’s broader compliance with personal information protection requirements.